Hi,
On Mon, Dec 23, 2024 at 2:09 PM Dmitry Krasov via FreeIPA-users <
[email protected]> wrote:
> I checked the date and got:
>
> Not Before: Wed Nov 30 05:25:15 2022
> Not After : Tue Nov 19 05:25:15 2024
> Not Before: Wed Nov 30 05:25:14 2022
> Not After : Tue Nov 19 05:25:14 2024
> Not Before: Wed Nov 30 05:25:14 2022
> Not After : Tue Nov 19 05:25:14 2024
> Not Before: Wed Nov 30 05:25:14 2022
> Not After : Sun Nov 30 05:25:14 2042
> Not Before: Wed Nov 30 05:25:14 2022
> Not After : Tue Nov 19 05:25:14 2024
> Not Before: Wed Nov 30 05:25:36 2022
> Not After : Tue Nov 19 05:25:36 2024
> Not Before: Wed Nov 30 05:26:25 2022
> Not After : Sat Nov 30 05:26:25 2024
> Not Before: Wed Nov 30 05:26:05 2022
> Not After : Sat Nov 30 05:26:05 2024
>
> I changed it to Nov 17 00:00:00 2024
> ipactl restart
>
> But I was able to update the last 2 certs only (Server-Cert)
> --------------------
> getcert resubmit -i 20221130052539 log:
>
> Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: AS_REQ (6 etypes {18 17 16 23
> 25 26}) 65.152.254.100: NEEDED_PREAUTH: host/[email protected] for
> krbtgt/[email protected], Additional pre-authentication required
> Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: closing down fd 5
> Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: AS_REQ (6 etypes {18 17 16 23
> 25 26}) 65.152.254.100: ISSUE: authtime 1731789998, etypes {rep=18 tkt=18
> ses=18}, host/[email protected] for krbtgt/[email protected]
> Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: closing down fd 5
> Nov 17 00:46:38 ipa.dom.loc python2[10168]: GSSAPI client step 1
> Nov 17 00:46:38 ipa.dom.loc python2[10168]: GSSAPI client step 1
> Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: TGS_REQ (6 etypes {18 17 16 23
> 25 26}) 65.152.254.100: ISSUE: authtime 1731789998, etypes {rep=18 tkt=18
> ses=18}, host/[email protected] for ldap/[email protected]
> Nov 17 00:46:38 ipa.dom.loc krb5kdc[1456]: closing down fd 5
> Nov 17 00:46:38 ipa.dom.loc ns-slapd[9642]: GSSAPI server step 1
> Nov 17 00:46:38 ipa.dom.loc python2[10168]: GSSAPI client step 1
> Nov 17 00:46:39 ipa.dom.loc ns-slapd[9642]: GSSAPI server step 2
> Nov 17 00:46:39 ipa.dom.loc python2[10168]: GSSAPI client step 2
> Nov 17 00:46:39 ipa.dom.loc ns-slapd[9642]: GSSAPI server step 3
> Nov 17 00:46:39 ipa.dom.loc dogtag-ipa-ca-renew-agent-submit[10168]:
> Forwarding request to dogtag-ipa-renew-agent
> Nov 17 00:46:39 ipa.dom.loc dogtag-ipa-ca-renew-agent-submit[10168]:
> dogtag-ipa-renew-agent returned 3
> Nov 17 00:46:39 ipa.dom.loc certmonger[1032]: 2024-11-17 00:46:39 [1032]
> Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview:
> Problem with the SSL CA cert (path? access rights?).
>
> ----------------------------
>
> Request ID '20221130052539':
> status: CA_UNREACHABLE
> ca-error: Error 77 connecting to
> https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL
> CA cert (path? access rights?).
>
This error happens when the file /etc/ipa/ca.crt is missing or not
readable. On my system I have
-rw-r--r--. 1 root root
If the file is missing, you can re-create it. It must contain IPA CA
certificate (if it's self-signed) or IPA CA and its chain (if it is
externally signed).
You can find IPA CA cert using:
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
-a
Copy-paste the output in /etc/ipa/ca.crt, set the right permissions, re-try
getcert resubmit.
flo
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=DOM.LOC
> subject: CN=CA Audit,O=DOM.LOC
> expires: 2024-11-19 05:25:15 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
